Docker Harbor image registry deployment notes
1. Install Docker
# Check for an old version; uninstall it if present, otherwise continue
rpm -qa|grep docker
# Set up the Aliyun mirror repository
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
# List the docker versions available in the repository
yum list docker-ce --showduplicates | sort -r
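# Install docker, or pin a specific version; if you hit network errors, retry a few times (if one package will not install, download its rpm separately, install it, then retry)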
# yum install -y docker-ce-26.1.4-1.el7.x86_64 docker-ce-cli-26.1.4-1.el7.x86_64 containerd.io-26.1.4-1.el7.x86_64
yum install -y docker-ce docker-ce-cli containerd.io
# Start the service and enable it at boot
systemctl start docker && systemctl enable docker
# Check docker status
systemctl status docker
mkdir -p /etc/docker /data/docker
sudo tee /etc/docker/daemon.json <<-'EOF'
{
"exec-opts": ["native.cgroupdriver=systemd"],
"registry-mirrors": [
"https://docker.1ms.run",
"https://docker.xuanyuan.me"
],
"live-restore": true,
"log-driver":"json-file",
"log-opts": {"max-size":"500m", "max-file":"3"},
"data-root": "/data/docker"
}
EOF
sudo systemctl daemon-reload
sudo systemctl restart docker
2. Install docker-compose
# 1. Download Docker Compose
curl -L "https://github.com/docker/compose/releases/download/v2.15.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
# 2. Make it executable
chmod +x /usr/local/bin/docker-compose
# 3. Create a symlink
ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
# 4. Verify the installation
docker-compose --version
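3. Install Harbor
- Download the offline installer package: https://github.com/goharbor/harbor/releases

- Offline installation: upload the downloaded offline installer package to the server. The version I used is 2.9.0.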

cd /usr/local/src
tar xvf harbor-offline-installer-v2.9.0.tgz
mv harbor /usr/local/
cd /usr/local/harbor
cp harbor.yml.tmpl harbor.yml
vim harbor.yml
grep -v '^$' harbor.yml|grep -v "#"
hostname: 172.16.1.182
http:
  port: 80
harbor_admin_password: Harbor12345
database:
  password: root123
  max_idle_conns: 100
  max_open_conns: 900
  conn_max_lifetime: 5m
  conn_max_idle_time: 0
data_volume: /data/harbor
trivy:
  ignore_unfixed: false
  skip_update: false
  offline_scan: false
  security_check: vuln
  insecure: false
jobservice:
  max_job_workers: 10
  job_loggers:
    - STD_OUTPUT
    - FILE
notification:
  webhook_job_max_retry: 3
log:
  level: info
  local:
    rotate_count: 50
    rotate_size: 200M
    location: /var/log/harbor
_version: 2.9.0
proxy:
  http_proxy:
  https_proxy:
  no_proxy:
  components:
    - core
    - jobservice
    - trivy
upload_purging:
  enabled: true
  age: 168h
  interval: 24h
  dryrun: false
cache:
  enabled: false
  expire_hours: 24
mkdir -p /data/harbor
./install.sh
WARN[0000] /usr/local/harbor/docker-compose.yml: `version` is obsolete
[+] Running 10/10
✔ Network harbor_harbor Created 0.2s
✔ Container harbor-log Started 0.8s
✔ Container harbor-portal Started 2.3s
✔ Container harbor-db Started 2.2s
✔ Container redis Started 2.3s
✔ Container registryctl Started 2.3s
✔ Container registry Started 2.1s
✔ Container harbor-core Started 2.8s
✔ Container nginx Started 3.6s
✔ Container harbor-jobservice Started 3.5s
✔ ----Harbor has been installed and started successfully.----
# Check running status
docker ps
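- Open the IP in a browser; for example, here I visit http://172.16.1.182/
- If you have not changed it in the configuration file, the default username is admin and the default password is Harbor12345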
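
A pre-install check for the settings above, as an added example that is not part of the original notes: it flags the admin and database passwords left at the values shown in this harbor.yml and a missing https: section. The helper name `audit_harbor_yml` and the sample file are assumptions made for the example.

```shell
#!/bin/sh
# Added example: flag values from this page's harbor.yml that should not reach
# ./install.sh unchanged. audit_harbor_yml is a hypothetical helper name.
audit_harbor_yml() {
    file=$1
    # Top-level scalar; commented-out lines do not start with the key.
    admin_pw=$(awk '/^harbor_admin_password:/ { print $2; exit }' "$file")
    # password: nested under the top-level database: key only.
    db_pw=$(awk '
        /^[ \t]*(#|$)/ { next }
        /^[^ \t]/      { in_db = ($1 == "database:"); next }
        in_db && $1 == "password:" { print $2; exit }' "$file")

    if [ "$admin_pw" = "Harbor12345" ]; then
        echo "FINDING: harbor_admin_password is the installer default"
    fi
    if [ "$db_pw" = "root123" ]; then
        echo "FINDING: database.password is the value shipped in harbor.yml.tmpl"
    fi
    if ! grep -q '^https:' "$file"; then
        echo "FINDING: no https: section, logins and pushes go over plain HTTP"
    fi
    return 0
}

# Constructed sample that mirrors the settings shown above.
sample=$(mktemp)
cat >"$sample" <<'EOF'
hostname: 172.16.1.182
http:
  port: 80
# https:
#   port: 443
harbor_admin_password: Harbor12345
database:
  password: root123
  max_idle_conns: 100
data_volume: /data/harbor
EOF
audit_harbor_yml "$sample"
```

On a real host, run it against /usr/local/harbor/harbor.yml before ./install.sh and change every flagged value first.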


4. Post-installation adjustments
- Enable start at boot
Docker Compose does not start along with docker, so this needs to be set up.
Run the code below. If your docker-compose.yml is in a different directory from mine, adjust the paths in this code accordingly.
cat >/usr/lib/systemd/system/harbor.service <<EOF
[Unit]
Description=Harbor service with docker-compose
Requires=docker.service
After=docker.service
[Service]
Restart=always
RemainAfterExit=yes
StandardError=null
StandardOutput=null
WorkingDirectory=/usr/local/harbor
ExecStartPre=/usr/bin/docker compose -f /usr/local/harbor/docker-compose.yml down
ExecStart=/usr/bin/docker compose -f /usr/local/harbor/docker-compose.yml up -d
ExecStop=/usr/bin/docker compose -f /usr/local/harbor/docker-compose.yml down
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload && systemctl enable harbor.service
# Restart docker to test whether harbor comes back up properly
systemctl restart docker
docker ps
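5. Configuration Docker needs in order to use Harbor
Logging in directly from docker requires HTTPS on port 443, so if we want to use HTTP on port 80 we need to additionally configure insecure-registries. If other servers want to log in to the Harbor server, they also need to configure insecure-registries, as follows: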
vim /etc/docker/daemon.json
{
"exec-opts": ["native.cgroupdriver=systemd"],
"registry-mirrors": [
"https://docker.1ms.run",
"https://docker.xuanyuan.me"
],
"live-restore": true,
"log-driver":"json-file",
"log-opts": {"max-size":"500m", "max-file":"3"},
"data-root": "/data/docker",
"insecure-registries": ["172.16.1.182"]
}
# Restart docker to apply
systemctl restart docker
6. Using Harbor
1. Create a user

2. Create a project and grant permissions

3. Log in to the registry with docker and push an image
docker login 172.16.1.182
Username: ouyang
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
goharbor/harbor-exporter v2.9.0 206e5b26f947 23 months ago 105MB
docker tag goharbor/harbor-exporter:v2.9.0 172.16.1.182/zjops/harbor-exporter:v2.9.0
docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
172.16.1.182/zjops/harbor-exporter v2.9.0 206e5b26f947 23 months ago 105MB
docker push 172.16.1.182/zjops/harbor-exporter:v2.9.0
5ab1deca79df: Pushed
4594ca3e621b: Pushed
0a0628010019: Pushed
b64768d458bb: Pushed
88314a2b8588: Pushed
v2.9.0: digest: sha256:3bb63cb5195e6440e916f86ddc451b3d3858c6f7856a06bea75b768174b7dc2e size: 1371
7. Verify in the web UI that the image push succeeded


8. Configure HTTPS with a self-made certificate (not recommended!!!)
[root@k8s-harbor ~]# cd harbor
[root@k8s-harbor harbor]# vi generate_cert.sh
#!/bin/bash
# Prompt the user for input
read -p "请输入 IP 地址 (如果没有请留空): " IP_ADDRESS
read -p "请输入域名 (如果没有请留空): " DOMAIN
read -p "请输入证书存储目录 (例如 /usr/local/harbor/certs): " CERT_DIR
# Set the certificate file paths
CERT_KEY="${CERT_DIR}/harbor.key"
CERT_CRT="${CERT_DIR}/harbor.crt"
CSR_FILE="${CERT_DIR}/harbor.csr"
REQ_FILE="${CERT_DIR}/harbor.req"
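# Create the certificate directory (if it does not exist)
mkdir -p "$CERT_DIR"
# Generate the private key
openssl genrsa -out "$CERT_KEY" 4096
# Generate the certificate request configuration file
cat > "$REQ_FILE" <<EOF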
[req]
default_bits = 4096
default_keyfile = $CERT_KEY
default_md = sha256
default_country = CN
default_state = SHANXI
default_city = XIAN
default_org = DEVOPS
default_email = email@example.com
default_commonname = $DOMAIN
req_extensions = req_ext
distinguished_name = req_distinguished_name
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default= SHANXI
localityName = Locality Name (eg, city)
localityName_default = XIAN
organizationName = Organization Name (eg, company)
organizationName_default = DEVOPS
emailAddress = Email Address
emailAddress_default = email@example.com
emailAddress_max = 64
[req_ext]
subjectAltName = @alt_names
[alt_names]
EOF
if [ -n "$IP_ADDRESS" ]; then
    echo "IP.1 = $IP_ADDRESS" >> "$REQ_FILE"
fi
if [ -n "$DOMAIN" ]; then
    echo "DNS.1 = $DOMAIN" >> "$REQ_FILE"
fi
# Generate the certificate signing request (CSR)
openssl req -new -key "$CERT_KEY" -out "$CSR_FILE" -config "$REQ_FILE"
# Generate the self-signed certificate
openssl x509 -req -in "$CSR_FILE" -signkey "$CERT_KEY" -out "$CERT_CRT" -days 365 -extfile "$REQ_FILE" -extensions req_ext
# To keep the temporary files, comment out the rm line below
# Clean up temporary files
rm "$REQ_FILE" "$CSR_FILE"
echo "证书生成完成:"
echo "私钥: $CERT_KEY"
echo "证书: $CERT_CRT"
# Make the script executable
chmod +x generate_cert.sh
# Run the script
./generate_cert.sh
Generating RSA private key, 4096 bit long modulus
...........................++
...................++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [HENAN]:
Locality Name (eg, city) [ZHENGZHOU]:
Organization Name (eg, company) [DEVOPS]:
Email Address [email@example.com]:
Signature ok
subject=/C=CN/ST=HENAN/L=ZHENGZHOU/O=DEVOPS/emailAddress=email@example.com
Getting Private key
证书生成完成:
私钥: /usr/local/harbor/certs/harbor.key
证书: /usr/local/harbor/certs/harbor.crt
vim harbor.yml
https:
  port: 443
  certificate: /usr/local/harbor/certs/harbor.crt
  private_key: /usr/local/harbor/certs/harbor.key
vim /etc/docker/daemon.json
# Remove the following setting
"insecure-registries": ["172.16.1.182"]
# Restart docker to apply
systemctl restart docker
# Re-run the Harbor installer to apply harbor.yml
./install.sh


- Configure Docker
Place the Harbor server's self-signed certificate (CA certificate) in the correct location so that the Docker client can find and trust it.
mkdir -p /data/docker/certs/172.16.1.182
cp /usr/local/harbor/certs/harbor.crt /data/docker/certs/172.16.1.182/ca.crt
openssl s_client -connect 172.16.1.182:443 -CAfile /data/docker/certs/172.16.1.182/ca.crt
# Log in to docker again
docker login 172.16.1.182
Authenticating with existing credentials...
Login did not succeed, error: Error response from daemon: Get "https://172.16.1.182/v2/": tls: failed to verify certificate: x509: certificate signed by unknown authority
# How to clear the existing user data
# Delete the credentials in the Docker configuration file
rm ~/.docker/config.json
# Log in again
docker login 172.16.1.182
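
Docker Engine looks for a per-registry CA at /etc/docker/certs.d/<registry host>/ca.crt. The following added example (not from the original notes) reports which trust path a client will use for the registry, covering both the insecure-registries setting from section 5 and the CA copy from this section, and whether that copy still matches the certificate Harbor currently serves. The function name `registry_trust_state`, its arguments and the temporary demo files are assumptions.

```shell
#!/bin/sh
# Added example: report how a Docker client will treat a registry host.
# registry_trust_state and its arguments are hypothetical names.
#   $1 registry host  $2 daemon.json  $3 certs.d directory  $4 Harbor's current certificate
registry_trust_state() {
    host=$1; daemon_json=$2; certs_d=$3; server_crt=$4
    # Pull the insecure-registries array out of daemon.json (flat JSON as on this page).
    insecure=$(cat "$daemon_json" 2>/dev/null | tr -d '\n' |
        sed -n 's/.*"insecure-registries"[[:space:]]*:[[:space:]]*\[\([^]]*\)\].*/\1/p')
    case $insecure in
        *"\"$host\""*) echo "insecure"; return 0 ;;  # TLS verification is not enforced
    esac
    ca="$certs_d/$host/ca.crt"
    if [ ! -f "$ca" ]; then
        echo "no-ca"        # only the system trust store applies; a self-signed cert is rejected
    elif cmp -s "$ca" "$server_crt"; then
        echo "ca-current"   # client copy matches the certificate Harbor serves
    else
        echo "ca-stale"     # certificate was regenerated; the client copy must be replaced
    fi
    return 0
}

# Constructed demo under a temp dir. On a real host pass /etc/docker/daemon.json,
# /etc/docker/certs.d and /usr/local/harbor/certs/harbor.crt.
demo=$(mktemp -d)
mkdir -p "$demo/certs.d/172.16.1.182"
echo "constructed certificate A" >"$demo/harbor.crt"
cp "$demo/harbor.crt" "$demo/certs.d/172.16.1.182/ca.crt"
printf '{\n"data-root": "/data/docker",\n"insecure-registries": ["172.16.1.182"]\n}\n' \
    >"$demo/daemon-http.json"
printf '{\n"data-root": "/data/docker"\n}\n' >"$demo/daemon-https.json"
registry_trust_state 172.16.1.182 "$demo/daemon-http.json"  "$demo/certs.d" "$demo/harbor.crt"
registry_trust_state 172.16.1.182 "$demo/daemon-https.json" "$demo/certs.d" "$demo/harbor.crt"
```

Because the script above issues a certificate valid for 365 days, a `ca-stale` result is what every client will show after the certificate is regenerated until its ca.crt is replaced.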